Add codemod to enforce persist-credentials: false on actions/checkout steps#31478

Merged
pelikhan merged 7 commits into
mainfrom
copilot/aw-compat-add-persist-credentials-false
May 11, 2026
Conversation

Copilot AI commented May 11, 2026

Cross-repo compile audits found strict-mode failures caused by actions/checkout steps missing with.persist-credentials: false, which can leave the git token in .git/config. This change adds a mechanical fix codemod so gh aw fix --write can remediate affected workflows automatically.

  • Registry and codemod wiring

    • Added new codemod: checkout-persist-credentials-false
    • Registered it in the fix registry with IntroducedIn set to the current codemod release (1.0.44)
  • Frontmatter step transformation

    • Scans step-like sections: pre-steps, steps, post-steps, pre-agent-steps
    • For uses: actions/checkout@* (and actions/checkout):
      • Adds a with: block when missing
      • Adds persist-credentials: false when with: exists but key is missing
      • Leaves step unchanged when persist-credentials is already set
      • Skips mutation (with warning log) when persist-credentials: true is explicitly set
  • Unit coverage for acceptance scenarios

    • Added focused tests for:
      • no-with checkout step
      • existing with block missing persist-credentials
      • explicit persist-credentials: true no-op
      • multi-section behavior (pre-steps / post-steps)
  • Fuzz coverage

    • Added fuzz tests for checkout-persist-credentials-false codemod behavior across supported sections and checkout/non-checkout step variants
    • Verifies expected mutate/no-mutate behavior and parser stability under generated inputs
```yaml
# before
steps:
  - name: Checkout repository
    uses: actions/checkout@v5

# after
steps:
  - name: Checkout repository
    uses: actions/checkout@v5
    with:
      persist-credentials: false
```
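The four transformation rules listed in the description (add a `with:` block, add the key to an existing block, leave an already-set key alone, warn and skip on an explicit `true`) can be exercised end to end with the following stand-alone Go program. It is an added example written for this page, not the codemod from `pkg/cli/codemod_checkout_persist_credentials_false.go`; it is a deliberately small line-based rewriter over the step lists of a frontmatter document, and the function names (`EnforcePersistCredentials`, `fixStep`, `keyValue`) and the sample YAML are assumptions of the example rather than anything from the project.

```go
package main

import (
	"fmt"
	"strings"
)

// indentOf returns the number of leading spaces on a line.
func indentOf(l string) int { return len(l) - len(strings.TrimLeft(l, " ")) }

// keyIndentOf returns the column at which a line's key starts; on a list item
// line ("  - name: x") the key sits two columns past the dash.
func keyIndentOf(l string) int {
	if strings.HasPrefix(strings.TrimLeft(l, " "), "- ") {
		return indentOf(l) + 2
	}
	return indentOf(l)
}

// keyValue splits "  - key: value # comment" into key and comment-stripped value.
func keyValue(l string) (string, string) {
	body := strings.TrimPrefix(strings.TrimSpace(l), "- ")
	k, v, ok := strings.Cut(body, ":")
	if !ok {
		return "", ""
	}
	return strings.TrimSpace(k), strings.TrimSpace(strings.SplitN(v, "#", 2)[0])
}

// fixStep applies the four rules to one list item (a step) whose keys sit at
// keyIndent and returns the possibly rewritten lines. (Hypothetical helper.)
func fixStep(step []string, keyIndent int, warnings *[]string) []string {
	usesAt, withAt := -1, -1
	for n, l := range step {
		if strings.TrimSpace(l) == "" || keyIndentOf(l) != keyIndent {
			continue
		}
		k, v := keyValue(l)
		if k == "uses" && (v == "actions/checkout" || strings.HasPrefix(v, "actions/checkout@")) {
			usesAt = n
		} else if k == "with" {
			withAt = n
		}
	}
	if usesAt == -1 {
		return step // not a checkout step: leave untouched
	}
	pad := strings.Repeat(" ", keyIndent)
	if withAt == -1 {
		// Rule 1: no with: block at all; add one directly after the uses: line.
		res := append([]string{}, step[:usesAt+1]...)
		res = append(res, pad+"with:", pad+"  persist-credentials: false")
		return append(res, step[usesAt+1:]...)
	}
	childIndent, seenChild := keyIndent+2, false
	for n := withAt + 1; n < len(step); n++ {
		l := step[n]
		if strings.TrimSpace(l) == "" {
			continue
		}
		if indentOf(l) <= keyIndent {
			break // end of the with: block
		}
		if !seenChild {
			childIndent, seenChild = indentOf(l), true // match the existing children
		}
		if k, v := keyValue(l); k == "persist-credentials" {
			// Rules 3 and 4: the key is already set; warn when it is explicitly true.
			if strings.EqualFold(v, "true") {
				*warnings = append(*warnings, fmt.Sprintf("%s sets persist-credentials: true explicitly; step not changed", strings.TrimSpace(step[usesAt])))
			}
			return step
		}
	}
	// Rule 2: with: exists but the key is missing; add it as the first child.
	res := append([]string{}, step[:withAt+1]...)
	res = append(res, strings.Repeat(" ", childIndent)+"persist-credentials: false")
	return append(res, step[withAt+1:]...)
}

// EnforcePersistCredentials rewrites every actions/checkout step in the YAML
// text so that it carries with.persist-credentials: false, whatever section it
// sits in (pre-steps, steps, post-steps, ...), and returns the new text plus
// one warning per step that explicitly sets the key to true. (Hypothetical API.)
func EnforcePersistCredentials(doc string) (string, []string) {
	lines := strings.Split(doc, "\n")
	var out, warnings []string
	for i := 0; i < len(lines); {
		if !strings.HasPrefix(strings.TrimLeft(lines[i], " "), "- ") {
			out = append(out, lines[i]) // not a list item: pass through unchanged
			i++
			continue
		}
		// A list item plus every following line indented deeper than it is one step.
		itemIndent, end := indentOf(lines[i]), i+1
		for end < len(lines) && (strings.TrimSpace(lines[end]) == "" || indentOf(lines[end]) > itemIndent) {
			end++
		}
		out = append(out, fixStep(lines[i:end], itemIndent+2, &warnings)...)
		i = end
	}
	return strings.Join(out, "\n"), warnings
}

func main() {
	// Constructed sample input: the "before" snippet from the PR description.
	before := "steps:\n  - name: Checkout repository\n    uses: actions/checkout@v5\n"
	after, warnings := EnforcePersistCredentials(before)
	fmt.Print(after)
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
}
```

The rewriter keys off indentation only, so a `persist-credentials:` that appears in a comment or inside a different key is not mistaken for the setting, and a step whose `with:` block already has children takes their indentation for the inserted key rather than a fixed offset.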

Copilot AI and others added 3 commits May 11, 2026 11:10
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Codemod proposal to auto-add 'persist-credentials: false' to actions/checkout Add codemod to enforce persist-credentials: false on actions/checkout steps May 11, 2026
Copilot AI requested a review from pelikhan May 11, 2026 11:21
@pelikhan pelikhan marked this pull request as ready for review May 11, 2026 11:23
Copilot AI review requested due to automatic review settings May 11, 2026 11:23
@pelikhan
@copilot add fuzz tests

Copilot AI left a comment

Pull request overview

Adds a new gh aw fix --write codemod to mechanically enforce with.persist-credentials: false on actions/checkout workflow steps to avoid leaving the Git token in .git/config.

Changes:

  • Registered a new codemod (checkout-persist-credentials-false) in the fix registry and codemod ordering lists.
  • Implemented a frontmatter line-transform codemod that updates actions/checkout steps across step-like sections (pre-steps, steps, post-steps, pre-agent-steps).
  • Added unit tests covering key acceptance scenarios (no with, existing with missing key, explicit true no-op, multi-section updates).
| File | Description |
| --- | --- |
| pkg/cli/fix_codemods.go | Registers the new codemod in the overall codemod list. |
| pkg/cli/fix_codemods_test.go | Updates expected codemod presence and ordering assertions. |
| pkg/cli/codemod_checkout_persist_credentials_false.go | Implements the new codemod's YAML frontmatter line transformation. |
| pkg/cli/codemod_checkout_persist_credentials_false_test.go | Adds unit tests for the new codemod behavior. |
| .github/workflows/issue-monster.lock.yml | Minor comment-only adjustment in a locked workflow file. |

Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 2

Comment on lines +197 to +201
if withStart != -1 {
insertAt := withEnd + 1
insertLine := fmt.Sprintf("%spersist-credentials: false", withIndent+" ")
updated := append([]string{}, stepLines[:insertAt]...)
updated = append(updated, insertLine)
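Review bot: in this branch (`withStart != -1`, so the step already has a `with:` block) the inserted key is indented with `withIndent+" "`, one column past `withIndent`. If `withIndent` is the indentation of the `with:` key itself, `persist-credentials: false` lands one column deeper than `with:` while any existing children of the block normally sit two columns deeper; keys of one block mapping must share an indentation, so a block that already has a child such as `fetch-depth: 0` would come out with mismatched siblings and fail to parse. Suggest taking the indentation from the first existing child line when there is one and falling back to `withIndent + "  "` otherwise, and adding a unit case whose `with:` block already contains a sibling key so the emitted indentation is actually checked.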
Comment on lines +236 to +246
lower := strings.ToLower(raw)
idx := strings.Index(lower, "persist-credentials:")
if idx == -1 {
return ""
}
rest := strings.TrimSpace(raw[idx+len("persist-credentials:"):])
if rest == "" {
return ""
}

rest = strings.SplitN(rest, "#", 2)[0]
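Review bot: `strings.Index(lower, "persist-credentials:")` matches the substring anywhere in `raw`, so a line whose only occurrence is inside a trailing comment, or a key that merely ends in that text, is treated as the setting; and because the `#` comment is stripped from `rest` only after the search, a commented-out line such as `# persist-credentials: true` yields `true` as the parsed value. The codemod would then report the key as already set and skip the step, leaving the token persisted. Suggest trimming `raw`, cutting the `#` comment first, and requiring what remains to start with `persist-credentials:` before reading the value, with a unit case for the commented-out line that expects the key to still be added.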
@pelikhan
@copilot review all comments

Copilot AI and others added 3 commits May 11, 2026 11:36
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented May 11, 2026

> @copilot add fuzz tests

Implemented in fa75197 (with fuzz test introduced in a46383a): added FuzzCheckoutPersistCredentialsFalseCodemod in pkg/cli/codemod_checkout_persist_credentials_false_fuzz_test.go and validated with go test ./pkg/cli -run=^$ -fuzz=FuzzCheckoutPersistCredentialsFalseCodemod.

@pelikhan pelikhan merged commit e4a48ea into main May 11, 2026
@pelikhan pelikhan deleted the copilot/aw-compat-add-persist-credentials-false branch May 11, 2026 11:41
Copilot stopped work on behalf of pelikhan due to an error May 11, 2026 11:41
Successfully merging this pull request may close these issues.

[aw-compat] Codemod proposal: auto-add 'with: persist-credentials: false' to actions/checkout in user steps